Headline Verdana Bold

Controls in a Digital, Agile World

2

Controls Methods in a Digital, Agile World

3

Controls Design MethodsEffective, Risk Aligned Control & Assurance apply to digital programmes just as in ‘traditional’ programmes

Target Operating Model

Strategy Org design People

Technology Data

4

Digital Controls by DesignPrinciple Building Blocks for a robust Control Framework in a digital world

Controls Design Authority Group (CDAG) should be formed to

approve the controls design in line with defined minimum controls

standards. An owner should be identified for owning controls

on a more operational basis.

Governance

1 Take Control of the Robots by implementing access, process and General IT controls (e.g. change management) controls over robots.

Perform validation over machine learning & AI processes.

Take

Control

2

Establish a Control Service Centre as node within the Finance

Shared Service Centre(s). Their remit would increase as the team

matures from initially control testing support and reporting to

exception management and test execution for all non-judgemental

controls.

Shared

Services

3 Risks and Controls should be defined in each business process design document. All of the controls, including controls

over Robots are brought together into a Risk and Control Matrix

(RACM) to avoid gaps and for duplication to be managed in a more

efficient manner.

Process

Design

4

The scope of controls should include process controls, access

controls and General IT controls, on all Finanacial system in

scope.Scope

5 Control Awareness Training should be given emphasising key roles and responsibilities as it relates to control ownership, control

operation and effective monitoring to drive accountability and make

effective above and beyond a ‘box-checking’ exercise. Emphasise

new risks and controls of digitisation and robots.

Control

Awareness

6

Application security should be designed to be flexible and modular

so that roles can be Segregation of Duties (SoD) free, or assigned

a mitigating control from an approved list.

Application security should be extended to Robots – what can

they systems and data can they access, what can they share and

distribute?

Application

Security

7 Standard application configuration should be used to automate controls and relevant ‘inherent controls’ called out in the RACM i.e.

controls that are embedded in the application and do not require

additional configuration.

Use Robotics for Automation of Controls where system

configuration or integration is not available.

Automation

8

Automation of Segregation of Duties (SoD) checks, password

resets and workflow approvals should be put in place to maintain

security post go-live.

Security

Automation

9 A control monitoring or testing regime should be put in place to ensure continuous effectiveness of the controls post go-live –

similar to the ‘real-time’ analytics strategy for other areas.

Automated

Monitoring

10

5

Controls should be designed into Hybrid Agile solutions from the outsetThe application of adaptive, agile concepts and techniques in a traditional, predictive project. When Financial Controls are included in project requirements, they can be delivered in an agile way.

© 2017. For information, contact Deloitte Touche Tohmatsu

Retain from agile• Flexibility

• Business owns priorities and features

• Rapid delivery of product increments

• Value-driven

• Execution discipline

Controls in Hybrid Agile• Predictability

• Requirements include control objectives

• Flexibility at the control activity level

• Enhanced collaboration with internal stakeholders

• Frequent review of increments – Optimised RACM

• Execution discipline

Retain from waterfall• Predictability (scope/requirements,

resources, schedule, and budget)

• Project controls

• Execution discipline

Approach-agnostic - Integrated processes

and controls

6

Control design is integrated into an agile programme by including the requirements in at the discovery stage. It is imperative that this is at the right level – i.e. the control objective level.

The sprint team then has the freedom to design, iterate and build the detailed control activities required to realise the control in the Sprint cycle.

The sprint outcome is then fed forward into the Risk and Control Matrix (RACM), which is iterated and optimized through collaboration between multiple cross-functional sprint teams.

Integrating Controls Design into an agile digital finance programme

Control Objectives

Control Activities

(Detail)Incorporate in

RACM

77

DeliverDesign & Build TestHigh-Level Design

Develop Integrated Work Plan

Develop Master Plan

Prioritisation

Business Process Requirements

DevelopProduct Roadmap

Project & Quality Management

Technology/Infrastructure

Organisational Change Management

Deployment

User Acceptance Test

Support

Integration, Parallel Performance

& Regression Test

High-level Design

Sprint 0

Waterfall Thread (i.e. Data Migration)

▪ Number of sprints determined by project

▪ Sprint plans developed iteratively

Design, Build, and Unit/String Test Sprints

Initial Integration & Regression Test Sprints

▪ Integration and

regression testing

starts earlier

▪ Testing is executed as

code is ready

Plan

Design Build

Sample approach for hybrid agile project – where do controls fit-in?

Control Design

Control Requirements

Control Framework

Optimisation

8

Robotic Control Automation

9

What is Robotic Process Automation (RPA)?

Software!

Robots can provide a ‘thin layer’ of controls over systems where ‘standard’

configuration is not available i.e. Robotic Control Automation!

10

What processes are suitable to deploy with Robotic Control Automation?

Anything that is rules based and repetitive – Shared Services is a good place to start

Sample processes suitable for robotics, illustrative

Sample Activities for Robotic Control Automation

• Logging onto web / multiple enterprise applications

• Scraping data from websites / applications

• Copying and pasting data

• Following if/then conditions and rules

• Extracting and reformatting data into reports or dashboards

• Extracting structured data from documents

• Merging data from multiple places

• Making calculations

• Filling in forms

• Reading and writing to databases

11

Controlling Robotised Processes

Creating a robust control environment in the digital world – the same fundamentals

• Controls are in place to secure robots and prevent unauthorised use, disclosure, damage or loss of data

• IT operational procedures are in place and provide for well controlled scheduling and monitoring of Robots, and provide reasonable assurance that incidents and exception alerts are identified, escalated and resolved.

• All changes (acquisitions or developments of new systems, system enhancements, upgrades and bug fixes) to SOX relevant robots and their supporting infrastructure are logged, authorised and appropriately tested

• Access to create, change or stop robots must be strictly restricted

• Access to modify a robot posting should be logged and monitored

• SoD between business users and robot managers / developers

• Appropriate system event and security logs are maintained and routinely reviewed for exceptions

• Defined responsibility for monitoring robots performance and exception management or manual resolution

• Processes are in place to routinely review configuration against policies (e.g. tolerances)

• Routinely perform validation over the accuracy of machine learning conclusions (i.e. inappropriate data fed to AI tools can ‘alter’ their performance without going through a change management process)

Co

ntr

ol

Ob

jecti

ves

Co

ntr

ol

Acti

vit

ies

Access and Security Controls

Exception

Managmnt.

Controls

Change

Managmnt.

Controls

12

Additional Digital RisksIn addition to the other risks and controls discussed above, increasing digitisation brings new risks that need to be controlled

Digital Risk

Data Governance and Digital

Rights Management

Model Validation and

Testing

Regulatory Compliance

Decision Governance

and Accountability

Business Impact

Assessment

Resilience Planning and Cyber Risk

13

Appendix

14

Secure the Digital Core…..

Innovation and agility is driven by cloud applications, robotics, AI and ‘edge’ technologies

15

Contact

For more information please contact:

Wivine Massaut

Director Deloitte Belgium

+ 32 2 800 22 74

wmassaut@deloitte.com

Julie Van der Planken

Director Deloitte Belgium

+ 32 2 800 27 09

jvanderplanken@deloitte.com

Johan Van Grieken

Partner Deloitte Belgium

+ 32 2 800 24 53

jovangrieken@deloitte.com

mailto:wmassaut@deloitte.commailto:jvanderplanken@deloitte.commailto:jovangrieken@deloitte.com

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London, EC4A 3BZ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

© 2018 Deloitte LLP. All rights reserved.